Issuing a Let's Encrypt SSL Certificate with a DNS TXT Record
Symptom
While requesting an SSL/HTTPS certificate from Let's Encrypt for a new server, I ran into the following error.
Failed authorization procedure. new.lesstif.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://new.lesstif.com/.well-known/acme-challenge/NXqaYCws-a46TbVqRqOvLUNWz6LJ3AsMVvTo4RG0e3w: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: new.lesstif.com
Type: connection
Detail: Fetching
http://new.lesstif.com/.well-known/acme-challenge/NXqaYCws-a46TbVqRqOvLUNWz6LJ3AsMVvTo4RG0e3w:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Error message
Port 80 was open to the public in the firewall, and searching turned up nothing, so I could not find the cause. I therefore decided to prove ownership of the domain by adding a TXT record to it (the dns-01 challenge) and to issue the SSL certificate that way; the steps are written up below.
Issuing with a TXT record
Run certbot with the --manual option and --preferred-challenges dns.
certbot certonly -d new.lesstif.com --manual --preferred-challenges dns
When asked whether you allow your IP address to be logged, enter Y.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
When the value to put in the TXT record is printed, copy it.
Please deploy a DNS TXT record under the name
_acme-challenge.new.lesstif.com with the following value:

slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- Register the TXT record on your DNS server. The screen will differ depending on your DNS service provider.
Open a new terminal and check that the record has been registered correctly.
$ nslookup -q=TXT _acme-challenge.new.lesstif.com
Server:         168.126.63.1
Address:        168.126.63.1#53

Non-authoritative answer:
_acme-challenge.new.lesstif.com text = "slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc"

Authoritative answers can be found from:
- Go back to the terminal where the Let's Encrypt issuance is waiting and press Enter.
Check that the certificate was issued correctly, then configure the web server.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/new.lesstif.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/new.lesstif.com/privkey.pem
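The nslookup check above is easy to get wrong by pressing Enter before the record has propagated, which makes certbot fail the dns-01 challenge. The script below is an added example, not part of the original post or of certbot: it polls DNS until the _acme-challenge TXT record carries the exact value certbot printed, so you continue only once the record is resolvable. It assumes `dig` (bind-utils / dnsutils) is installed; the nameserver ns1.example.com in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): wait until the _acme-challenge
# TXT record is resolvable with the value certbot printed, then continue.
# Assumes `dig` is installed.

# Return 0 when one line of $2 (the output of `dig +short TXT <name>`, where
# each TXT string is printed in double quotes) is exactly the expected value $1.
# ACME dns-01 values are 43 characters, so they never split into several quoted
# strings the way TXT records longer than 255 bytes do.
txt_value_present() {
    expected=$1
    dig_output=$2
    printf '%s\n' "$dig_output" | grep -qxF "\"$expected\""
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS] [RESOLVER]
# Re-queries every 10 s until the record shows up or the timeout passes.
# Pass the zone's authoritative nameserver as RESOLVER to avoid a cached
# negative answer on a recursive resolver; by default the system resolver is used.
wait_for_txt() {
    name=$1
    expected=$2
    timeout=${3:-300}
    resolver=${4:+@$4}      # empty, or "@host" when a resolver was given
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        out=$(dig +short TXT "$name" $resolver 2>/dev/null)
        if txt_value_present "$expected" "$out"; then
            echo "TXT record for $name is live with the expected value"
            return 0
        fi
        sleep 10
    done
    echo "timed out after ${timeout}s waiting for TXT record on $name" >&2
    return 1
}

# Usage, with the name and value from the certbot prompt (ns1.example.com is a
# placeholder for your zone's authoritative nameserver):
#   sh wait_for_txt.sh _acme-challenge.new.lesstif.com \
#       slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc 600 ns1.example.com
if [ $# -ge 2 ]; then
    wait_for_txt "$@"
fi
```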
Verification
Connect to the site over https in a browser and check that it works correctly.